A Practical Guide to AML/CTF Compliance for Australian Businesses

BNDRY | Published October 16, 2025

Highlights

  • AUSTRAC is extending Tranche 2 AML/CTF reforms to new industries.
  • Why businesses are integral in the fight against financial crime.
  • How technology helps alleviate compliance obligations.
  • Quick checklist: how to prepare for Australia’s regulatory reforms.
  • Frequently Asked Questions.

Tranche 2 is here…

If you’re reading this, you’re likely aware that Australia is implementing the Tranche 2 Anti-Money Laundering / Counter-Terrorism Financing (AML/CTF) reforms. If you’re here just for kicks, read on: Australia’s regulatory landscape is shifting and some of what’s written here may impact you.

Right, what exactly is Tranche 2 again?

Australia's Tranche 2 reforms extend AML/CTF obligations to Designated Non-Financial Businesses and Professions (DNFBPs), including accountants, lawyers and real estate agents, with compliance registration required from 31 March–29 July 2026. Even though registration closes at the end of July, DNFBPs will need to start complying with the new legislation from July 1.

Beyond legal obligations, being unprepared for Tranche 2 can hurt your business by damaging its overall reputation, eroding client trust or attracting undesirable customers. It’s smarter to put the hard yards in now for long-term security and client trust.

Now, let’s assume we’re all on the same page and agree:

  • Tranche 2 is a big change and a long time coming (since 2007).
  • The implications of getting this wrong can be very serious.
  • Whether you’re aiming for the March or July 2026 deadline, those dates aren’t when you start getting ready, they’re when you need to be ready.
  • You’ve still got a business to run day-to-day, and this shouldn’t get in the way.
  • You needed 6-9 months to get your AML/CTF program sorted.

If your program hasn't kicked off yet, what needs to happen to get it moving?

To help with that question, we’ve written a five-part guide on the steps your business will need to take and ways to implement them, with a quick checklist and FAQs at the end of the article.

  1. Understanding Financial Crime Risks
  2. Knowing Your Customers
  3. Monitoring Your Customers
  4. Reporting to AUSTRAC
  5. Storing and Managing Customer Data
  6. Frequently Asked Questions

Part 1: Understanding your financial crime risks – exposing threats via risk assessment

How well do you know the ways in which your business can be targeted by bad actors? Or ways to stop them? What about how you prevent them from targeting you in the first place and the steps to take if something bad does happen?

Understanding the key areas of your own business that are subject to attack, targeting, exploitation and all manner of corruption is critical to working out what changes you’ll need to make, any gaps you have and how to demonstrate that you’re playing your part in the fight against financial crime.

AUSTRAC (Australian Transaction Reports and Analysis Centre) expects regulated industries to capture all areas of Money Laundering / Terrorism Financing (ML/TF) risk, from customers, delivery and channel risks through to products. A risk assessment is a key process to identify, manage and mitigate potential threats across all business functions.

It plays a crucial role both in maintaining regulatory compliance and in establishing a strong framework for scalable and sustainable growth.

Assessing your business's AML/CTF risks includes but is not limited to:

  • Reviewing customer types.
  • Assessing whether products and services are scaling with growth.
  • Checking affiliated geographic locations for any regulatory changes or loopholes.
  • Understanding exactly how you deliver services to your customers.

Screening company data is a smart step toward establishing a solid risk assessment and the best way to discover if any weak areas exist within systems and processes.

As Jeremy Moller, a well-known risk advisory lawyer in Australia, says, “businesses must check their data now”; waiting until the reforms are live is too late. Understanding your company data (what information you gather and from where, how it’s stored, used and shared, and ensuring your data is up-to-date) is a vital first step.

This task is usually the responsibility of a risk and compliance officer (or similar), but what if your business has never had to deal with regulatory compliance before? This is where technology and automation are the superheroes. Businesses need to review their systems, processes and technologies to assess whether they’re up to the task for reporting obligations, or whether they need to be updated. If resources are tight, especially around recruitment, upgrading software to automate compliance obligations is a cost-effective way to start your AML/CTF procedures.

The data cleanse – streamlining AML/CTF obligations

Think of your business like an ecosystem where each component needs a certain level of nurturing and attention. If there's an aspect of the environment that's neglected, weeds find their way in and begin destruction from the inside. Data can be that overlooked component where insidious breaches occur that may not be detected until it's too late. This is why it’s important to check and “cleanse” your data regularly, ensuring every part of your business is up-to-date, to streamline AML/CTF obligations and related processes.

Data checklist:

  • Is your client list still up-to-date?
  • Is the right information captured against them?
  • Is your company data stored in the correct place?
  • Do you have a solid Know Your Customer (KYC) process in place? 
  • Do you have reliable PII protection?
  • Are you monitoring your customers’ transactions against financial crime?

Qing Liu, Moody's Senior Director of Compliance & Third Party Risk in Australia, emphasises how businesses need to ensure their data is up-to-date to mitigate risk, and the best way to do this is “to leverage technology”. The right technology helps identify what is needed, what needs to go and what is required.

While traditional compliance processes are bogged down by manual forms, email chains and siloed data, technology automates and simplifies data governance and ensures it is current, securely held and safely transferred.

AUSTRAC expects any suspicious activity to be reported, so your systems need to be set up to flag any suspect transactions. If you’re a designated service and suspect a customer isn’t who they appear to be, a Suspicious Matter Report (SMR) needs to be sent to AUSTRAC so they can investigate further. Your report could be the key to solving a serious financial crime.

Who’s responsible?

As mentioned previously, data protection and regulatory compliance traditionally fall under the role of a risk and compliance officer, but the responsibility is company-wide and all staff need to be trained on what to look out for and who to notify if something doesn’t look right. A training program should be implemented to get everyone up to speed before the deadline, and to allow enough time to practise new skills around regulatory obligations.

Some key areas in your training program should include understanding:

  • The obligations under the AML/CTF Act and Rules.
  • The consequences of non-compliance.
  • Types of AML/CTF risk the business might face and consequences of such risk.
  • AML/CTF processes and procedures employees must carry out.
  • What to do when employees form a suspicion.

Fighting financial crime shouldn’t interrupt business-as-usual; it should be an integral part of business workflows. Maintaining a regular data cleanse helps ensure your risk assessment is performed with as much ease and accuracy as possible.

Non-compliance isn’t an option. Regulatory obligations may have been one of those items on the back (way back) burner, but putting it off can now result in serious, business-damaging penalties:

  • Civil Penalty Orders: Large, court-imposed fines used for serious or systemic gaps in compliance.
  • Enforceable Undertakings: Legally binding agreements where an entity commits to fixing specific issues under AUSTRAC’s supervision.
  • Infringement Notices: Fixed-fee fines issued directly by AUSTRAC for specific administrative or technical breaches.
  • Remedial Directions: Formal written instructions requiring an entity to take a specific action to address a compliance failure.

In short, start your AML/CTF program by checking your data, then performing a risk assessment.

Part 2: Knowing Your Customers – the key to financial crime detection

Whether real estate agents, accountants, lawyers or gaming venues, collecting customers' personal information is a normal function of business operations. In doing so, businesses hold a certain level of responsibility to protect their customers' data. This is known as Know Your Customer (KYC).

KYC or IDK? What are the Australian KYC requirements under the new reforms?

How well do you really know your customers? “I don't know” won't cut it under AUSTRAC’s new regulatory reforms. You may have the necessary information to perform transactions on someone’s behalf, but what are those transactions for, where do they end up and for whom?

The 2026 regulatory changes are targeted at Designated Non-Financial Businesses and Professions (DNFBPs). If your business falls under this category, you’re required by law to abide by the new Tranche 2 reforms, because DNFBPs are now being treated like financial institutions in the eyes of regulators. Why? Because criminals treat them that way: as conduits for laundering illicit funds.

What are the Customer Due Diligence procedures and obligations?

While a certain level of customer identification no doubt already exists in your business, it may need levelling up to meet regulatory obligations. As a reporting entity, you need to apply customer identification procedures to all your customers because you’ll need to know who you’re dealing with, both customers and visitors, including any individuals closely associated with Politically Exposed Persons (PEPs).

Stepping away from legacy "tick-box" compliance, your program should be risk-based and outcome-focused (the rigid A/B split requirement has been removed) and cover Ongoing Customer Due Diligence (OCDD) procedures, including transaction monitoring and Enhanced Customer Due Diligence (ECDD).

The Amendment Act will require DNFBPs to conduct initial CDD to:

  • Collect and verify information about the identity of a customer.
  • Understand potential risks in providing designated services to that customer.

Review the following steps against your current processes:

  • Capture and verify personal identification (e.g. from driver’s licence, passport or government-issued proof of age card). The best way to do this is by plugging into a digital Document Verification Service (DVS). 
  • Screen customers against PEP and sanctions lists. As part of your AML/CTF program, you need to show how PEPs are identified through ECDD and what steps are taken when dealing with them.
  • Assign a risk category to each customer (low, medium, or high).
  • For higher-risk individuals, conduct full KYC checks to verify their details, which may include facial recognition and address verification.
  • Monitor customer transactions to identify behaviours that may signal suspicious activity or that increase the customer risk profile.

PEP talk – identifying and managing PEP risk

When it comes to your customers, you need to have risk-based procedures in place to identify whether an individual customer or beneficial owner is a Politically Exposed Person (PEP). You’re expected to carry out customer identification and verification procedures to identify a PEP before offering a designated service.

These procedures may include:

  • Asking a customer if they are a PEP during onboarding.
  • Checking a customer on the internet, including sanctions lists and social media.
  • Using databases and reports from third parties or businesses that analyse corruption risks.

If any suspicious activity is flagged, it must be reported to AUSTRAC as soon as possible to determine whether your customer poses a financial crime risk. Knowing who your customers are (as much as protocol dictates) is a vital part in protecting your business from bad actors using your services to launder illicit funds. Meanwhile, having systems set up to do the grunt work around digital identity verification is how a lot of designated services are responding to this regulatory obligation.

If you’re still a little foggy on how to deal with PEPs, you can visit AUSTRAC for further guidance.

Part 3: Monitoring Your Customers – it’s about intelligence, not tick-box compliance

Are Compliance Officers the new Private Investigators?

Perhaps not, but reporting entities should treat compliance as intelligence gathering, not just a regulatory requirement. When you truly understand your customers and their needs, managing your compliance obligations becomes smarter, faster and far more effective.

The good news is businesses don’t have to figure it out all by themselves. Assigning some of the compliance procedures to a third party simplifies regulatory tasks.

A Customer Due Diligence (CDD) arrangement can be agreed to with an external business whose systems are already regulated under the AML/CTF Act. Leveraging anti-money laundering software, where it doesn’t interfere with gathering intelligence and monitoring data, eases CDD procedures, because the right technology grants more time to compile information and form sound suspicions when red flags arise.

BNDRY Smart Forms are designed to make this traditionally hard step easy, by creating a secure and centralised workspace to request, collect and collaborate on CDD.

Features of the BNDRY platform:

  • Smart Forms collects and verifies customer information (DVS, ID documents, risk category).
  • Determines customer risk scores, what actions have been taken and what’s overdue.
  • Simplifies reporting for Suspicious Matter Reports (SMRs).
  • Stores customer records through document uploads in a centralised data hub.

A solid KYC program helps businesses identify any financial crime risks customers may bring to the business which, of course, benefits the overall company profile and protects the company’s reputation. Regulatory obligations are expected to be embedded into everyday business practices and with the right technology, businesses can stay ahead of AML/CTF tasks and reporting duties.

Part 4: Understanding AUSTRAC Reporting Requirements

Reforms recap

The Tranche 2 reforms emphasise the need for stronger compliance measures to combat the serious problem that money laundering and terrorism financing pose to Australian businesses. New reporting entities have been assigned to help gather intelligence because they’re prime targets for financial crime and, with risk and compliance training, they are the best way to spot bad actors.

DNFBPs are expected to report into AUSTRAC when they weren’t previously required to because:

  • Financial crime is on the rise, costing Australia over $60 billion annually.
  • Businesses that move money have become targets for terrorism financing and money laundering.
  • AUSTRAC needs help gathering intelligence to fight financial crime.

Show me the data! Or, what to report to AUSTRAC

What your business reports on is determined by your activity, but don’t worry, you don’t have to submit all reports, all the time.

The types of reports you may need to submit are:

  • Suspicious Matter Reports (SMR): When you reasonably suspect a customer or affiliate is not who they claim or a transaction is linked to criminal activity or proceeds of crime.
  • Threshold Transaction Reports (TTR): For individual physical currency transactions valued at A$10,000 or higher. 
  • International Value Transfer Service Reports (IVTS): All international transfers of value transactions including money, virtual assets and other property.
  • Cross Border Movement Reports (CBM): When carrying physical currency or bearer negotiable instruments such as checks, traveler's checks and money orders, payable to bearer valued at A$10,000 or higher into or out of Australia.
  • Annual Compliance Reports: Annual report summarising how you’ve met your AML/CTF obligations in the previous year.

Additionally, businesses must keep records of all transactions, customer identification and information about their AML/CTF program and associated activities for seven years. This ensures you stay compliant and helps in the detection of financial crime.

Detailed information in each report and record keeping duties can be found on AUSTRAC’s website.

Part 5: Storing and Managing Customer Data

Expect the unexpected

Let’s assume you’ve got your AML/CTF program in place: you’ve reviewed and improved risk oversight to the business, assessed your CDD obligations and trained employees on the Tranche 2 reforms and associated duties. Then a red flag appears against a customer, one you’ve been in a relationship with for years, but you’re struggling to gather their data because it’s stored in various places, kind of like trying to find puzzle pieces hidden in different boxes.

The Financial Action Task Force (FATF) states how technology helps “minimise weaknesses in human control measures”. The old manual approach is no longer viable and companies are looking toward new technologies to help manage and securely control their data, especially sensitive KYC data.

The BNDRY platform is purpose-built to help regulated entities, including new Tranche 2 reporting entities, manage their new AML/CTF responsibilities with less friction and more confidence.

BNDRY automates business workflows by pushing data into a centralised hub for easy retrieval and reporting:

  • Consolidated Entities: consolidate customer data and risk-related information into a unified profile. This makes it easy to retrieve customer information when preparing Suspicious Matter Reports.
  • Investigation Workspaces: capture red flags, attach evidence, document unusual matters and collaborate internally to investigate potential suspicion. Create an auditable case file to gather intelligence required to populate an SMR.
  • Regulatory Reporting Workflows Built-in: populate and generate all AUSTRAC reports, including SMRs and TTRs. Populate them using BNDRY’s built-in AUSTRAC forms, or configure automations that transform your existing data into AUSTRAC-ready files.
  • Audit-ready Record-keeping: store all AML/CTF-related documents (customer ID records, transaction activity, investigations and reports) in one place, where they are easily retrieved for audits or reporting.

AML/CTF obligations don't have to feel painful; it's simply a matter of knowing what's expected from your business and having systems in place to help with your regulatory compliance.

The wrap up

With Australia’s AML/CTF reforms coming into effect by July 2026, designated non-financial businesses and professions (DNFBPs) must be ready to comply with stricter anti-money laundering and counter-terrorism financing laws.

To avoid legal risk, reputational damage and operational disruption, businesses should act now. Preparing involves understanding how your business could be targeted by financial crime, conducting a thorough risk assessment, cleansing and securing company data, training staff and implementing or enhancing Know Your Customer (KYC) and Customer Due Diligence (CDD) procedures.

Monitoring customer behavior, identifying suspicious transactions and ensuring accurate reporting to AUSTRAC are all critical components of compliance, and with the right technology and systems, businesses can embed compliance into everyday operations, making it a seamless part of business-as-usual rather than a disruptive obligation.

The hard reality is financial crime isn’t going to disappear, and ignoring this reality may be costly to both your business and the wider community. Let’s all work together to minimise this risk.

To help, here’s a quick checklist of what you need to do to prepare:

  • Enrolment: Sign up with AUSTRAC between 31 March 2026 and 29 July 2026.
  • Compliance Officer: Appoint an Australian resident at the management level to oversee your program.
  • Risk Assessment: Document how your specific services (e.g., managing client funds or property sales) could be exploited for money laundering.
  • AML/CTF Program: Create a written policy tailored to your business (you can use AUSTRAC’s "Starter Kits" released in early 2026).
  • Know Your Customer (KYC): Establish procedures to verify the identity of clients and "beneficial owners" before providing services.
  • Reporting Systems: Prepare to lodge Suspicious Matter Reports (SMRs) and Threshold Transaction Reports (TTRs) for cash above $10,000.
  • Staff Training: Conduct "red flag" awareness training for all employees by the July 1st deadline.
  • Record Keeping: Set up a secure system to store all compliance records for 7 years.

FAQs

What are the AUSTRAC reporting deadlines for Tranche 2?

Enrolment opens for newly-regulated Tranche 2 sectors on 31 March 2026, with full AML/CTF obligations (including having an AML/CTF program in place) commencing 1 July 2026 for industries such as legal, accounting, real estate and jewellery. Businesses then have until 29 July 2026 to notify AUSTRAC of their AML/CTF compliance officer, and a 3-year transition period runs until 30 March 2029 for existing Tranche 1 reporting entities to move to the reformed CDD obligations. 

What are the penalties for non-compliance?

Failure to meet your AML/CTF obligations may result in AUSTRAC taking formal action to enforce compliance or seeking financial penalties.

To ensure reporting entities adhere to the law, AUSTRAC can utilize the following enforcement actions:

  • Civil penalty orders: Court-ordered fines for serious non-compliance.
  • Enforceable undertakings: Written commitments by an entity to improve its systems.
  • Infringement notices: Immediate fines for specific, documented breaches.
  • Remedial directions: Written instructions requiring an entity to take specific steps to fix compliance gaps.

Read about further penalties on AUSTRAC.

What is a Suspicious Matter Report (SMR)?

An SMR is a report a reporting entity must submit if they have reasonable grounds to suspect a transaction may be related to money laundering, terrorism financing, tax evasion, proceeds of crime, or other serious crimes – or if they suspect a customer is not who they claim to be. Once submitted, businesses must not disclose to anyone other than AUSTRAC that a suspicion has been formed or an SMR lodged, commonly known as the "tipping off" offence.

Who is considered a Politically Exposed Person (PEP) under AML/CTF laws?

A PEP is an individual who holds a prominent public position in a government body or international organisation, in Australia or overseas, including heads of state, ministers, senior executives, judges, military officers and central bank governors, as well as their immediate family members and close associates. Being a PEP doesn't automatically indicate criminal activity, but their positions of power make them a higher risk for corruption, bribery, money laundering or terrorism financing.

What records must businesses keep under AML/CTF obligations?

Businesses must keep full and accurate records relating to their AML/CTF program, Customer Due Diligence and transactions, retaining CDD records for at least 7 years from the end of the business relationship and transaction records for at least 7 years from the date of the transaction. Records must be stored securely with access limited to authorised staff, and must be in English or easily translatable into English.

What is the difference between CDD and ECDD?

CDD (Customer Due Diligence) is the baseline obligation requiring businesses to establish the identity of customers, determine if they're acting on behalf of another person, and assess the money laundering and terrorism financing risks involved in providing them a designated service – applied both initially and on an ongoing basis. ECDD (Enhanced Customer Due Diligence) goes further, requiring extra identity checks and additional information gathering, and is triggered when a customer's risk is assessed as high, for example when the customer is a foreign PEP or a suspicious matter reporting obligation arises.

This article is intended as general information only and does not constitute legal advice. For specific guidance on your obligations, please consult a qualified legal professional.